Saturday, December 17, 2016

MIRLN --- 27 Nov - 17 Dec 2016 (v19.17)

MIRLN --- 27 Nov - 17 Dec 2016 (v19.17) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

ANNOUNCEMENTS

[Sad] Note to Readers (Steptoe, 1 Dec 2016) - After nearly 18 years, E-Commerce Law Week will cease publication after this week. It's been a pleasure. [Polley : I was so sorry to read this; I've loved their droll, concise, informative weekly e-newsletter; if anybody has substitute-candidates to suggest, I'm all ears. In the meantime, hats-off and thanks to ECLW authors/producers Sally Albertazzi, Stewart Baker, and Mike Vatis.]

NEWS

ABA House is asked to accredit program that certifies lawyers as privacy law specialists (ABA Journal, 15 Nov 2016) - A program that certifies lawyers as privacy law specialists is expected to go before the ABA House of Delegates in February. The International Association of Privacy Professionals administers the certification program. If the ABA House approves accreditation, lawyers who meet the IAPP's standards could hold themselves out as privacy law specialists without violating state ethics rules that are based on the ABA model rules. Bloomberg BNA has a story. Recognition of the privacy law specialty could benefit both consumers and lawyers, according to Hofstra University law professor Ellen Yaroshefsky. "I think it's advantageous both to lawyers seeking to obtain business but also hopefully to clients who want to reach out to the most sophisticated lawyer they can find," Yaroshefsky told Bloomberg BNA. "Particularly because cyber and security and intellectual property are rapidly expanding fields, there is a perceived need to have a recognized specialty." Fourteen certification programs administered by seven private organizations are currently accredited by the ABA, according to Martin Whittaker, senior counsel for the ABA Center for Professional Responsibility. About a dozen state entities also certify specialties. The ABA Model Rules of Professional Conduct provide that lawyers shouldn't state or imply they are certified as specialists in a particular field of law unless they have been certified as specialists by a group that is approved by the appropriate state authority or that is accredited by the ABA. The IAPP certification program would require lawyers to pass the group's exam; pass a separate exam on legal ethics related to the practice of privacy law; and prove substantial involvement in the privacy law area for three years.

The secret agenda of a Facebook quiz (NYT, 19 Nov 2016) - Do you panic easily? Do you often feel blue? Do you have a sharp tongue? Do you get chores done right away? Do you believe in the importance of art? If ever you've answered questions like these on one of the free personality quizzes floating around Facebook, you'll have learned what's known as your Ocean score: How you rate according to the big five psychological traits of Openness, Conscientiousness, Extraversion, Agreeableness and Neuroticism. You may also be responsible the next time America is shocked by an election upset. For several years, a data firm eventually hired by the Trump campaign, Cambridge Analytica, has been using Facebook as a tool to build psychological profiles that represent some 230 million adult Americans. A spinoff of a British consulting company and sometime-defense contractor known for its counterterrorism "psy ops" work in Afghanistan, the firm does so by seeding the social network with personality quizzes. Respondents - by now hundreds of thousands of us, mostly female and mostly young but enough male and older for the firm to make inferences about others with similar behaviors and demographics - get a free look at their Ocean scores. Cambridge Analytica also gets a look at their scores and, thanks to Facebook, gains access to their profiles and real names. Cambridge Analytica worked on the "Leave" side of the Brexit campaign. In the United States it takes only Republicans as clients: Senator Ted Cruz in the primaries, Mr. Trump in the general election. Cambridge is reportedly backed by Robert Mercer, a hedge fund billionaire and a major Republican donor; a key board member is Stephen K. Bannon, the head of Breitbart News who became Mr. Trump's campaign chairman and is set to be his chief strategist in the White House.
In the age of Facebook, it has become far easier for campaigners or marketers to combine our online personas with our offline selves, a process that was once controversial but is now so commonplace that there's a term for it, "onboarding." Cambridge Analytica says it has as many as 3,000 to 5,000 data points on each of us, be it voting histories or full-spectrum demographics - age, income, debt, hobbies, criminal histories, purchase histories, religious leanings, health concerns, gun ownership, car ownership, homeownership - from consumer-data giants.

FINRA fines Lincoln Financial sub $650,000 for cybersecurity shortcomings (Bracewell, 22 Nov 2016) - A Lincoln Financial Group subsidiary agreed to pay $650,000 to the Financial Industry Regulatory Authority (FINRA) to resolve allegations that it failed to implement sufficient security policies to protect confidential customer information after its web-based customer account database was hacked in 2012. The 2012 breach came on the heels of a $600,000 fine, imposed by FINRA in 2011, for lax security measures relating to its customer database. * * *

Ohio imposes tax on online retailers with no physical presence in state (Morgan Lewis, 22 Nov 2016) - The Ohio Supreme Court recently ruled that Ohio may impose its commercial activity tax (CAT) on out-of-state companies that sell products and services to Ohio customers-even if the companies have no physical presence in the state-if such companies have taxable gross receipts sitused to Ohio of at least $500,000. This ruling is yet another example of the increasing willingness of states to extend taxing jurisdiction to nonresident taxpayers that have business, but no physical presence, in a state. On November 17, a split Ohio Supreme Court held that the physical presence standard does not extend to a "business-privilege tax"-even if that tax is measured by receipts from sales of tangible personal property (similar to a sales tax). In a 5-2 decision, the Ohio high court held that "although a physical presence in the state may furnish a sufficient basis for finding a substantial nexus, Quill's holding that physical presence is a necessary condition for imposing the tax obligation does not apply to a business-privilege tax. . ." Rather, since the CAT is imposed only on retailers with at least $500,000 in Ohio receipts, the Ohio Supreme Court held that dollar "limit" is sufficient to establish the required substantial nexus for the imposition of a business-privilege tax. The dissenting judges in the case, by contrast, argued that the silence of the US Congress on nexus issues means that Quill's "physical presence" requirement should still apply, and that only the US Congress or the US Supreme Court can establish a new rule to determine substantial nexus. The tenor of the dissenting judges' opinion could signal that this decision may be appealed to the US Supreme Court.

Uber begins background collection of rider location data (TechCrunch, 28 Nov 2016) - Imagine you're on your way to a therapy appointment in a downtown high-rise. You hail an Uber and enter a nearby coffee shop as your destination so you can grab a snack before the appointment. In the car, you scroll through Instagram and check your email. You get out, buy your coffee, and walk around the corner to your therapist's office. If you installed the latest app update, Uber has been tracking your location the entire time. The app update (it's 3.222.4, for those keeping track) changes the way Uber collects location data from its users. Previously, Uber only collected location information while a user had the app open - now, Uber asks users to always share their location with the ride-hailing company. Uber says that, even though it can harvest your location constantly while its app is running in the background on your phone, it won't use that capability. Instead, Uber claims it just needs a little bit more location data to improve its service, and it has to ask for constant access because of the way device-level permissions are structured. Specifically, Uber wants access to a rider's location from the moment she requests a ride until five minutes after the driver drops her off, even if the app is not in the foreground of her phone. Previously, Uber would not collect a rider's background location during the trip, or her location after drop-off. The company will use this information to improve drop-offs and pick-ups, which have consistently been a pain point for Uber and other ride-hailing services. The most common reason for riders and drivers to contact each other is to communicate their location when the app does not provide an accurate pinpoint, and Uber hopes to cut down on confusion during pick-up. Uber also wants to track how often riders cross the street directly after a drop-off, which the company believes could indicate a safety hazard. 
Riders shouldn't have to dart through traffic to get to their destination, a spokesperson explained, and tracking a user after drop-off can help the company detect whether the driver dropped their passenger off in a risky place.

- and -

New site visualises how you rode with Uber in 2016 (Mashable, 15 Dec 2016) - The folks at Uber have made "Year with Uber", a data visualisation site that offers a view of your Uber riding pattern for the year. The site, which went live Thursday, asks you to log in, then presents you with information about your rides on the platform in 2016 via a click-through slideshow. * * * Alas, the site is only live for riders in Southeast Asian cities such as Singapore, Kuala Lumpur, Bangkok, Jakarta and Manila -- for now. Uber says it'll roll out to more countries progressively.

The surprising implications of the Microsoft/Ireland warrant case (Orin Kerr, 29 Nov 2016) - The Justice Department filed a petition for rehearing last month in the Microsoft/Ireland warrant case. Although I'm skeptical that rehearing will be granted, the Justice Department's petition includes some fascinating updates about the practical effect of the Second Circuit's decision. I looked into the Justice Department's allegations on my own, and I was able to get a better sense of what was happening. At the very least, it suggests that the Microsoft case is having some surprising implications. And in some cases, the result seems to be a significant mess. The Second Circuit's decision held that warrants for customer email are unenforceable when the provider opted to store emails on a server outside the United States. The statute only has territorial effect, the Second Circuit reasoned, and that means it doesn't apply to foreign-stored email. Treating the statute as a way to get email rather than a means of limiting access to email, the court ruled that the government couldn't use a domestic warrant to compel the disclosure of emails stored abroad. But here's the twist. The court's decision assumed that Internet providers knew where their customer emails were located and that emails could be accessed from those places. The Second Circuit's opinion therefore left the government with some options. In particular, the government could pursue foreign legal process through Mutual Legal Assistance Treaties for email that was stored abroad. It turns out that this assumption isn't necessarily right. And that is creating some significant headaches. Here's what the Justice Department says in its petition for rehearing: Unlike Microsoft, some major providers cannot easily determine where customer data is physically stored, and some store different parts of customer content data in different countries. Major U.S.-based providers like Google and Yahoo! 
store a customer's email content across an ever-changing mix of facilities around the world. To the extent content is stored abroad by the provider at the moment the warrant is served, the Opinion has now placed it beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic. At least in the case of Google, the information is also currently beyond the reach of a Mutual Legal Assistance Treaty request or any foreign law enforcement authority, because only Google's U.S.-based employees can access customer email accounts, regardless of where they are stored; indeed, Google cannot reliably identify the particular foreign countries where a customer's email content may be stored. Thus, critical evidence of crimes now rests entirely outside the reach of any law enforcement anywhere in the world, and the randomness of where within an intricate web of servers the requested content resides at a particular moment determines its accessibility to law enforcement.

Rule would treat email like other forms of 'instant' service (Florida Bar, 1 Dec 2016) - After the Bar Board of Governors balked at giving its endorsement, the Rules of Judicial Administration has altered a proposed procedural rule amendment affecting response times when documents are served via email. The Appellate Court Rules Committee also altered its request to be exempted from the proposed change, and instead suggests changes within the appellate rules. The board, at its July 29 meeting, considered amendments to the Civil Procedure Rules, the Rules of Judicial Administration, and the Appellate Court rules. The civil rule amendments corrected references to the Rules of Judicial Administration on email service. The RJA amendments removed email service from a subdivision that allowed five additional days for responding to service by regular U.S. Mail and removed email from a section that said email service would be treated as service via U.S. Mail for time computation purposes - which adds five days to those allowable times. Those changes would treat email like other forms of "instant" service such as fax, hand delivery, or service through the court system's statewide e-filing portal. When email service was first addressed in the rules several years ago, committee members said treating it as U.S. Mail delivery would encourage lawyers to use email service because of the extra response time it allowed. But they also said that extra time would likely be removed once email service was widely used. The appellate rule amendment specified that service by email in appellate matters be treated as service by U.S. Mail for time computations and exempted appellate email service from the time reductions in the RJA amendments. Board members said they were concerned that removing the five extra days could lead to "gamesmanship" with delivery of documents late in the day or before weekends to shorten the response time. 
They also expressed unease that exempting the appellate rules from the change would lead to inconsistency among rules. In response, the Appellate Court Rules Committee, when it met in October during the Bar's Fall Meeting, dropped its request for a blanket exemption. Instead the committee went through its rules and added to the computation of response time in more than 30 places where it felt more time was needed. That was approved by a 35-0 vote. The Rules of Judicial Administration Committee, which also met at the Fall Meeting, reaffirmed removing the extra five days from time computations with email service but also specified that the time computation would not begin until the day after the service, not counting weekends or holidays. Committee members, saying that would address the "gamesmanship" issues, approved that 34-0. The revised rules are expected to be presented to the board again at its January 20 meeting in Tallahassee.

Misconfigured drive exposes locations of explosives used by oil industry (SC Magazine, 5 Dec 2016) - Oil company Allied-Horizontal Wireline Services (AHWS) are reported to have misconfigured a storage device, which has resulted in the leak of the locations where it stores the explosives it uses. The company uses explosives to complete an oil-drilling process known as "perforation," which it is licenced to do by the US federal government. The device, exposed by security researcher Chris Vickery in October, also reportedly contained thousands of credentials of staff who work for the organisation and a variety of AHWS employee information. Alongside, other files showed the company's contracts with other oil companies, such as BP and Exxon.

Subscription surges and record audiences follow Trump's election (Columbia Journalism Review, 6 Dec 2016) - When CBS chairman Les Moonves said in February that the Donald Trump phenomenon "may not be good for America, but it's damn good for CBS," he likely didn't imagine his comment would apply to the entire news industry come December. While many in the media have expressed concerns over the impact a Trump administration could have on press freedoms, the president-elect's influence already is boosting news organizations' bottom lines. The New York Times said it signed up 10,000 new subscribers per day several times since the election, and the past few weeks recorded a 10-fold increase in new subscriptions over the same period last year. "Often after an election you expect a lull," Times president and CEO Mark Thompson said on Monday at the UBS Global Media & Communications conference in Manhattan. "We're not seeing that, we're seeing a surge." Thompson attributed the rise in subscriptions to "a dramatic increase in the willingness to pay for serious, independent journalism." He also said reaching the Times' goal of 10 million paid subscribers-up from 2.6 million today, about 1.5 million of which are digital-only-"is very possible for us." Most of the new subscribers are digital, though some opted for the Times in print. The company noted the increases are net of cancellations. He said consumers are more willing to pay for online content, driven by an acceptance of monthly fees for services like Netflix. While the Times holds a unique place in the media landscape, other major players across the industry have reported similar audience and subscription bounces. The LA Times saw a 60 percent increase in new digital subscriptions in the weeks following the election, a spokeswoman told CJR. For the month of November, the paper added more than four times as many new subscribers as it did during the same period in 2015. 
And the LA Times was not the only outlet in the publicly traded Tronc Inc. newspaper chain to report subscription increases; CNBC reported the chain saw an average gain in digital subscribers of 29 percent across its newspapers, which also include the Chicago Tribune and the Hartford Courant. While the Washington Post hasn't yet released specific numbers, a representative from the paper told CJR the Post has seen "a steady increase in subscriptions over the course of this year." The Wall Street Journal in the days after the election reported a 300 percent spike in new subscriptions.

T-Mobile announces Digits: one phone number for all your devices (The Verge, 7 Dec 2016) - T-Mobile just revealed its answer to AT&T's NumberSync technology, which lets customers use one phone number across all their connected devices. T-Mobile's version is called Digits and it will launch in a limited, opt-in customer beta beginning today before rolling out to everyone early next year. "You can make and take calls and texts on whatever device is most convenient," the company said in its press release. "Just log in and, bam, your call history, messages and even voicemail are all there. And it's always your same number, so when you call or text from another device, it shows up as you." When it leaves beta, Digits will cost an extra monthly fee, but T-Mobile isn't revealing pricing today. "This is not going to be treated as adding another line to your account," said COO Mike Sievert. "Expect us to be disruptive here." And while its main feature is one number for everything, Digits does offer T-Mobile customers another big perk: multiple numbers on the same device. This will let you swap between personal and work numbers without having to maintain separate lines and accounts. You can also give out an "extra set" of Digits in situations where you might be hesitant to give someone your primary number; this temporary number forwards to your devices like any other call. You can have multiple numbers for whatever purposes you want, based on T-Mobile's promotional video.

China stole data from major US law firms (Fortune, 7 Dec 2016) - A series of security breaches that struck prestigious law firms last year was more pervasive than reported and was carried out by people with ties to the Chinese government, according to evidence seen by Fortune. The incidents involved hackers getting into the email accounts of partners at well-known firms, and then relaying messages and other data from the partners' in-boxes to outside servers. In the case of one firm, the attacks took place over a 94-day period starting in March of 2015, and resulted in the hackers stealing around seven gigabytes of data, according to information obtained by Fortune. That figure would typically amount to tens or hundreds of thousands of emails. The information also revealed the thefts took place in one-hour increments, and that the hackers returned repeatedly in search of new information. News of the law firm breaches surfaced earlier this year when the Wall Street Journal reported that hackers had penetrated the computer networks of Cravath Swaine & Moore, Weil Gotshal & Manges and other unidentified firms. The clients of these firms include many of the world's biggest companies, and they are privy to sensitive corporate information. The earlier news of the law firm breaches did not say who conducted the hacking, but Fortune has obtained reliable information that indicates the breach took place as part of a larger initiative by the Chinese government. This initiative also saw the hackers target big U.S. companies, including a major airline. The evidence obtained by Fortune did not disclose a clear motive for the attack but did show the names of law firm partners targeted by the hackers. The practice areas of those partners include mergers and acquisitions and intellectual property, suggesting the goal of the email theft may indeed have been economic in nature.

- and -

Chicago law firm accused of lax data security in lawsuit (Bloomberg, 9 Dec 2016) - A federal judge on Friday unveiled a long-sealed proposed class-action complaint that accused the law firm, Johnson & Bell, of failing to take adequate steps to protect the data on its servers. The case is currently proceeding in confidential arbitration and the complaint was filed in April by the plaintiff's firm Edelson P.C. on behalf of two of Johnson & Bell's onetime clients, Jason Shore, a California resident, and Coinabul, a Wyoming limited liability company. Johnson & Bell is a Chicago-based firm with about 100 attorneys and was ranked as the 385th largest law firm in the country, according to The American Lawyer. The complaint refers to Johnson & Bell "as a data breach waiting to happen" and claims the firm marketed itself as using top data security to protect its clients' information but in fact had numerous lapses, including - according to the complaint - an online time-keeping system that had not been updated in 10 years. Jay Edelson, the founder of Edelson P.C., said his firm has been conducting a wide-ranging investigation of law firms, and that he anticipates other judges may soon unseal lawsuits his firm filed against other law firms. The unsealed suit accused Johnson & Bell of using several internet-accessible computer networks, such as its time-keeping system and its email system, which had not been updated with security patches. The case is Shore et al v. Johnson & Bell, filed in N.D. of Illinois, 16-4363. Read the complaint, via Bloomberg Law here.

Terror scanning database for social media raises more questions than answers (Motherboard, 9 Dec 2016) - On Monday, Facebook, Microsoft, Twitter, and YouTube announced a new partnership to create a "shared industry database" that identifies "content that promotes terrorism." Each company will use the database to find "violent terrorist imagery or terrorist recruitment videos or images" on their platforms, and remove the content according to their own policies. The exact technology involved isn't new. The newly announced partnership is likely modeled after what companies already do with child pornography. But the application of this technology to "terrorist content" raises many questions. Who is going to decide whether something promotes terrorism or not? Is a technology that fights child porn appropriate for addressing this particular problem? And most troubling of all-is there even a problem to be solved? Four tech companies may have just signed onto developing a more robust censorship and surveillance system based on a narrative of online radicalization that isn't well-supported by empirical evidence. Many companies-for example, Verizon, which runs an online backup service for customers' files-use a database maintained by the National Center for Missing and Exploited Children (NCMEC) to find child pornography. If they find a match, service providers notify the NCMEC Cyber Tipline, which then passes on that information to law enforcement. The database doesn't contain images themselves, but rather, hashes-digital fingerprints that identify a file. This means that service providers can scan their servers without "looking" at anyone's files. Thanks to PhotoDNA, a technology donated by Microsoft, the hashes are made using biometric information inside the photos and videos, meaning that cropping or resizing the files won't necessarily change the hash value being used. 
Monday's announcement marks the first time companies have sought to use this kind of technology to combat "terrorist content online." It's an odd match. The hash matching system appealed to many aspects of the fight against child pornography. For one thing it allowed companies to scan for files without finding out anything about non-matching files-so, arguably, without violating anyone's privacy, except with respect to possession of child porn. It also protected people from having to look at child porn in order to identify it-the very act of looking at child porn so it can be removed from the internet can be traumatic to the employees who are policing content on platforms. Neither of these specific upsides to the hash identification system seems to apply to "terrorist content," since the partnership appears to be aimed at publicly posted social media. (I asked Facebook via email whether the hash identification system would be applied to private messages between users, but did not hear back from the company). Furthermore, the companies have stated in their press release that a person on the other end will be looking at the content before taking it down. The press release implies, but does not explicitly say, that matching hits will not be provided to government officials, the way that hits for child pornography are. * * *
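The Motherboard piece above describes a database that holds only content-derived hashes, so a provider can match files against it without learning anything about non-matching files, and a hash that survives cropping or resizing. PhotoDNA itself is proprietary; the following is an added example, not code from Microsoft, NCMEC or the article, that uses a simple perceptual hash (dHash) as a stand-in to show the two properties side by side: a cryptographic SHA-256 changes completely when an image is merely rescaled, while the perceptual hash does not, and matching is done by Hamming distance rather than equality. The sample image, the 10-bit match threshold and the name "flagged-item" are all constructed for the example.

```python
"""Perceptual-hash matching against a hash-only database (added example, not from the article)."""
import hashlib


def downscale(pixels, width, height):
    """Nearest-neighbour resample of a 2-D grayscale list (rows of 0..255) to width x height."""
    src_h, src_w = len(pixels), len(pixels[0])
    return [[pixels[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]


def dhash(pixels, size=8):
    """Difference hash: shrink to (size+1) x size and record, row by row, whether each pixel
    is brighter than its right-hand neighbour. Returns a size*size-bit integer."""
    thumb = downscale(pixels, size + 1, size)
    bits = 0
    for row in thumb:
        for x in range(size):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def sha256_of(pixels):
    """Exact-match cryptographic hash of the raw pixel bytes, shown for contrast."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


def build_database(named_images):
    """The shared list stores only hashes, never the images themselves."""
    return {name: dhash(img) for name, img in named_images.items()}


def find_matches(candidate, database, threshold=10):
    """Return (name, distance) for every stored hash within `threshold` bits of the candidate.
    The threshold is an assumed tuning value; it trades false positives against missed variants."""
    h = dhash(candidate)
    return [(name, hamming(h, known)) for name, known in database.items()
            if hamming(h, known) <= threshold]


def make_sample_image(width=64, height=64):
    """Constructed sample image (not a real file): 7-pixel-wide vertical bands and 8-pixel-tall
    horizontal bands of distinct intensities, so the thumbnail has clear edges."""
    return [[(37 * (x // 7) + 59 * (y // 8)) % 256 for x in range(width)] for y in range(height)]


def upscale(pixels, factor):
    """Nearest-neighbour enlargement, standing in for a re-encode at another resolution."""
    return downscale(pixels, len(pixels[0]) * factor, len(pixels) * factor)


def crop_left(pixels, columns):
    """Drop the leftmost `columns` pixels of every row."""
    return [row[columns:] for row in pixels]


def invert(pixels):
    """Photographic negative: an unrelated image as far as the hash is concerned."""
    return [[255 - v for v in row] for row in pixels]


if __name__ == "__main__":
    original = make_sample_image()
    db = build_database({"flagged-item": original})
    for label, variant in [("resized x2", upscale(original, 2)),
                           ("cropped 2 px", crop_left(original, 2)),
                           ("inverted", invert(original))]:
        print(f"{label:>12}: sha256 same={sha256_of(variant) == sha256_of(original)}, "
              f"dhash distance={hamming(dhash(variant), dhash(original))}, "
              f"matches={find_matches(variant, db)}")
```

Two design points carry over to the real systems the article discusses. Because the database holds hashes only, a provider scanning its storage learns nothing about files that fail to match, which is the privacy argument the article makes for the child-abuse-imagery use case. And because matching is a distance threshold rather than an equality test, every deployment has a false-positive rate that depends on that threshold, which is why a human review step before takedown, as the press release promises, matters more here than it does for an exact-match lookup.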

Google just published eight National Security Letters (TechCrunch, 13 Dec 2016) - Google dropped a single National Security Letter into its most recent transparency report without much fanfare, but today the company published eight more NSLs in an attempt to shed more light on government surveillance of Google users. The eight letters published today were sent to Google from FBI offices across the country. Cumulatively, the NSLs seek broad access to content for around 20 user accounts. The usernames of the targets are redacted, although the FBI does not require it. A Google spokesperson said the usernames were redacted to protect user privacy and that the targeted individuals had been notified. The NSLs were sent to Google over a five-year period, from 2010 to 2015, with the majority coming from the Charlotte, North Carolina field office of the FBI. Others came from Florida, Arizona, New York and California. NSLs have historically been issued with interminable gag orders preventing tech companies from discussing the letters or their contents, but the passage of the USA Freedom Act last year allowed companies to begin disclosing the letters. Yahoo became the first major tech company to disclose NSLs it received from the FBI, publishing three in June. Since then, Google and the Internet Archive have followed suit. Google has fought to make the letters public in part because the FBI can issue them without prior judicial oversight. Many tech companies have argued that, given the wealth of information held in their users' accounts, the data should not be subject to a secret search without the approval of a court. Over the past several years, Google challenged 19 NSLs in court and last year won the right to tell WikiLeaks employees that their data had been requested. Soon, Google will establish a home for its NSL disclosures as part of its transparency report, Salgado said. In the meantime, you can read the eight letters here.

GT partners with law firm to offer cyber security audits (CCH Daily, 13 Dec 2016) - Grant Thornton UK has teamed up with international law firm Lewis Silkin to launch a new data and cyber security audit service, which the firms say will help global organisations ensure they are compliant and minimise risks in the face of increasing data breach risk and regulation. The new service, called DataCheckPoint, is based on an eight-stage process including audits incorporating a new scoping and gap analysis methodology which caters for innovative reporting and effective compliance implementation programmes. Grant Thornton says the new service is designed to help clients prepare for the implementation of the general data protection regulation (GDPR) and the security of network and information systems directive (NIS Directive). Both pieces of legislation come into force from May 2018.

iPhone user can be forced to produce the passcode to his phone, court rules (Orin Kerr, 14 Dec 2016) - I have blogged a few times about the Fifth Amendment limits of forced decryption, especially in light of a case pending on the issue in the Third Circuit. Although that federal case is still pending, the Florida Court of Appeals (Second District) has handed down a new decision, State v. Stahl, on the same issue. Stahl holds that the government can force an iPhone user to hand over the passcode to unlock the phone so long as the government can show that the user knows the passcode. I think Stahl is correct, and I thought I would explain the case and its reasoning. The facts of Stahl are simple. Stahl has been arrested for allegedly surreptitiously taking pictures up the skirt of a female shopper in a clothing store. The police seized Stahl's iPhone 5, which they think he used to take the pictures. The police have a warrant to search the phone for the images he took to prove his crime. They can't get into the phone, however, because it is locked. The police asked Stahl for the passcode to his iPhone, but he refused to provide it. The government then sought an order compelling Stahl to produce the passcode. The issue in the case is whether the Fifth Amendment bars the order. The trial court concluded that it did because the government did not satisfy the foregone conclusion doctrine. Specifically, the government did not show with reasonable particularity what the contents of the phone were. The Court of Appeals disagreed, ruling that the Fifth Amendment doesn't bar the order under the foregone conclusion doctrine because it's the foregone knowledge of the password, not the contents of the phone, that matters. Here's the analysis from Judge Black: * * *

top

Google just dodged a privacy lawsuit by scanning your emails a tiny bit slower (The Verge, 14 Dec 2016) - Yesterday, Google tentatively agreed to a series of changes in the way it collects data from Gmail, as part of a proposed settlement in Northern California District Court. If the court approves the settlement, Google will eliminate any collection of advertising-specific data before an email is accessible in a user's inbox. The result likely won't be noticeable to users, but it represents a real change to the way Google's systems work, brought about after a voluntary settlement rather than a legal ruling. The case, called Matera vs. Google, began in September 2015, when plaintiffs alleged the email scanning violated California and federal privacy law, calling it "the twenty-first-century equivalent of AT&T eavesdropping on each of its customers' phone conversations, or of the postal service taking information from private correspondence." The suit was specifically brought on behalf of non-Gmail users, who haven't agreed to have their emails scanned under Google's Terms of Service. Because Gmail's ad-targeting system draws on every email a Gmail user receives, it inevitably catches some messages from non-Gmail addresses. Scans that take place before emails are available to the user are particularly sensitive, since the messages are not yet part of Gmail's inbox. In real terms, that gap lasts only a few milliseconds, but plaintiffs argued it still constituted a breach of both the federal Electronic Communications Privacy Act and the California Information Privacy Act. The fix for Google was simple enough: close the gap. Google will still preemptively scan emails for malware and spam filtering, but any advertising-specific scans will be deferred until the email is accessible to the user. Reached by The Verge, Google declined to comment, but confirmed that the settlement would result in concrete technical changes once approved. The plaintiffs' lawyers did not respond to a request for comment. The timing of the scan might seem like a minor distinction, but it's one that's increasingly troublesome for email companies - and lucrative for plaintiffs. Yahoo settled a similar lawsuit in January of this year, agreeing to delay its ad-scanning systems and pay up to $4 million in fees to the attorneys who filed the case. Google has also agreed to pay any costs associated with this week's settlement, including up to $2.2 million in attorney fees and $2,000 for each of the class representatives.

top

Digital Millennium Copyright Act - DMCA agent revamp, act now (Hogan Lovells, 14 Dec 2016) - Online Service Providers (OSPs) must register under a new electronic system by December 31, 2017, but can, and should, do so as soon as possible. The U.S. Copyright Office has ditched the scanned paper system for registration of DMCA Agents. OSPs seeking safe harbor protections may now register using the new electronic system, which launched December 1, 2016. Only OSPs (e.g. providers of online services or network access, including sites that allow posting of user-generated content) that have registered by December 31, 2017 will continue to have Section 512 protection. Since 2011 the Copyright Office has been considering revision of the DMCA Agent system, part of the Digital Millennium Copyright Act, enacted by Congress back in 1998, which enables online service providers to limit their liability for copyright infringement committed by their users. A condition of this "safe harbor" is that the OSP must designate an agent for receiving infringement claims both on the OSP's own website and through the Copyright Office's public directory of designated agents. Adapting to today's realities, the system will now be fully electronic. The new system completely replaces the former paper-based system - a reform that will be implemented by amending 37 CFR part 201.38 (full text here). The change enables service providers to submit designated agent information more efficiently, the Copyright Office to load the information more quickly, and the public to search it more easily. Filing fees have been reduced from the minimum $105 to a flat fee of $6 per designation (for each filing or amendment). Automated reminders will simplify keeping contact information up-to-date. The designation will now automatically expire after three years unless it is either renewed or confirmed to be still accurate. Online service providers must submit new designations through the electronic system by December 31, 2017. The Office will no longer accept paper designations. Paper designations filed before December 1, 2016 will continue to satisfy the legal obligations of section 512 until the December 31, 2017 transition deadline. * * *

top

Germany-wide consortium of research libraries announces boycott of Elsevier journals over open access (BoingBoing, 15 Dec 2016) - Germany's DEAL project, which includes over 60 major research institutions, has announced that all of its members are canceling their subscriptions to all of Elsevier's academic and scientific journals, effective January 1, 2017. The boycott is in response to Elsevier's refusal to adopt "transparent business models" to "make publications more openly accessible." Elsevier is notorious even among academic publishers for its hostility to open access, but it also publishes some of the most prestigious journals in many fields. This creates a vicious cycle, where the best publicly funded research is published in Elsevier journals, and Elsevier then claims ownership over the research (Elsevier, like most academic journals, requires authors to sign their copyrights over, though it does not pay them for their writing, nor does it pay for their research expenses). Then, the public institutions that are producing this research have to pay very high costs to access the journals in which it appears. Journal prices have skyrocketed over the past 40 years. No one institution can afford to boycott Elsevier, but collectively, the institutions have great power. The high price ticket on journals means that the entire customer base for them is institutions, not individuals, and the increasing prices have narrowed the field of institutions that can afford to participate -- but that has also narrowed the number of institutions that need to cooperate to cripple Elsevier and bring it to heel. Even so, this kind of boycott was unimaginable until recently -- but the rise of guerrilla open access sites like Sci-Hub means that researchers at participating institutions can continue to access Elsevier papers by other means.

top

Evernote's new privacy policy lets staff read customers' notes 'to improve the service' (MacRumors, 15 Dec 2016) - Some users of Evernote have threatened to stop using the note-taking service after the company announced a new privacy policy, scheduled to go into effect on January 23, that allows employees to read customers' notes. The policy changes are related to machine learning algorithms, says Evernote, which are being tested on user content that the company has accumulated since going into operation. Specifically, Evernote explained that staff may need to read customer notes in order to ensure the algorithms are working as they should: "The latest update to the Privacy Policy allows some Evernote employees to exercise oversight of machine learning technologies applied to account content. While our computer systems do a pretty good job, sometimes a limited amount of human review is simply unavoidable in order to make sure everything is working exactly as it should." Describing this position more succinctly, Evernote's privacy policy states that employees will look at notes "for troubleshooting purposes or to maintain and improve the Service". But some users are concerned about the vague wording of the clause, which journalist Stacy-Marie Ishmael has called "so broad as to be all inclusive". Meanwhile, some users have taken to social media to join a growing chorus of revolt. Evernote says that only a limited number of employees who have undergone background checks will be able to access note content and that users can encrypt notes to prevent staff from reading them. But while users can opt out of having their notes reviewed for machine learning purposes, Evernote can still access content for other reasons, including violations of terms of service, to protect the rights, property, or personal safety of Evernote and its users, or to comply with law enforcement requests, warrants, or court orders. Users can read more about the new changes to Evernote's privacy policy here.

top

- and -

Evernote backs off from privacy policy changes, says it 'messed up' (ComputerWorld, 16 Dec 2016) - Evernote has reversed proposed changes to its privacy policy that would have allowed employees to read user notes to help train machine learning algorithms. CEO Chris O'Neill said the company had "messed up, in no uncertain terms." The move by the note-taking app follows protests from users, some of whom had threatened to drop the service after the company announced that its policy would change to improve its machine learning capabilities by letting a select number of employees, who would assist with the training of the algorithms, view the private information of its users. The company claims 200 million users around the world. The machine learning technologies would make users more productive, as they would allow the automation of functions now done manually, like creating to-do lists or putting together travel itineraries, O'Neill had said earlier on Thursday in defense of the proposed changes. Evernote employees would only see random content in snippets to check that the features were working properly, but they wouldn't know who it belonged to, and personal information would be masked, he added. The changes to the privacy policy were to come into effect on Jan. 23.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Blog-aholics (The Atlantic, Jan/Feb 2006) -- Most of us will admit to wasting some time at work. But three new studies suggest that more time is lost now than ever before. According to a survey by the magazine Advertising Age, a leading culprit is Weblogs. The survey indicates that one in four U.S. workers reads blogs regularly while at work, losing, on average, some nine percent of the workweek. This amounts to 551,000 years of labor lost in 2005 alone. If only the bloggers whose words seem so compelling were the ones sending us e-mail: 34 percent of workers surveyed by Information Mapping, Inc. reported wasting thirty to sixty minutes a day trying to interpret "ineffectively" written messages. A third study offers comfort -- or at least a way to pass the buck for all the lost time. Having examined productivity in nine countries, it concludes that 37 percent of the time spent at work is wasted -- but that poor management and inadequate supervision are largely to blame.

top

Accessibility lawsuit against Target can proceed (ComputerWorld, 8 Sept 2006) -- A federal judge in San Francisco ruled Wednesday that a lawsuit filed against Minneapolis-based Target Corp. by the National Federation of the Blind (NFB) regarding the accessibility of the retailer's Web site can move forward. According to the NFB, the ruling sets a precedent establishing that retailers must make their Web sites accessible to the blind under the Americans with Disabilities Act (ADA). "This ruling is a great victory for blind people throughout the country," said NFB President Marc Maurer. "We are pleased that the court recognized that the blind are entitled to equal access to retail Web sites." When asked if the NFB would file lawsuits against other online retailers and sites, spokesman John Pare said, "You probably could imagine that we would."

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top